Conventional approaches provide management access to host ports in a Storage Area Network (SAN) and a Network Attached Storage (NAS) in a number of ways. One approach is to implement a password. A user is asked for a username and password with the help of a Graphical User Interface (GUI) implemented in suitable SAN management software. After entering the current credentials, the SAN components can be managed.
Password mechanisms implemented through SAN management software are subject to risks. In a case where the password is broken, or unauthorized users become aware of the password, complete access to the array is obtained. Unauthorized users would then be free to use the array at will. Such a threat continues unless the array involves an enhanced security procedure. Would-be attackers have innumerable attack vectors, methods, and tools available.
Another conventional approach implements Access Control Lists (ACLS) to allow or deny the addition of a new host to the system fabric. Access lists can allow one host the right to access a certain part of the storage resources and deny another host that same access. Access control lists provide a basic level of security for accessing the storage resources.
Another conventional approach implements authenticating the identity of a new host with a Public Key Infrastructures (PKI) mechanism. Such an approach prevents an unauthorized intruder host from attaching to the fabric via any port. Such an approach has the disadvantage of requiring the explicit definition of the ability of the host to log into the host port.
Another conventional approach implements Logical Unit Number (LUN) masking which makes a LUN available to some hosts and unavailable to other hosts. Servers can attempt to write volume labels to all available LUNs. This can render the LUNs unusable by other operating systems and can result in data loss.
Another conventional approach implements assigning a unique ID to the host. Persistent binding is a host-centric enforced way of directing an operating system to assign certain Small Computer System Interface (SCSI) target IDs and LUNs. For example, a specific host will generally assign an SCSI target ID to the first router found and assign LUNs to three tape drives attached to the router. Operating systems and upper-level applications (i.e., backup software) typically require a static or predictable SCSI target ID for their storage reliability.
Another conventional approach implements an encryption engine to scramble and descramble the data and a key manager (hardware appliance or software) to create, manage, and store the encryption keys. The encryption engine has a unique public/private key pair for each device connected to the key manager. Another conventional approach implements parameter of restriction for remote access mechanism such as telnet, HTTP, and API.
However, the conventional approaches mentioned above have drawbacks. Conventional approaches can allow inappropriate privileges to change data, such as editing, deleting, corrupting, or otherwise modifying sensitive data on a just a bunch of drives (JBOD) storage system, disk array, or other storage devices.
Conventional approaches can also allow inappropriate use of resources for an organization, such as removing or impairing access to a resources with a Denial of Service (DOS) attack and using a compromised dual-homed host with a Host Bus Adapter (HBA) to access SAN resources and read, store, or distribute illegal files. Conventional approaches can also allow inappropriate access to view data, such as viewing confidential email or sensitive data files. If a LUN is masked by a host, then the LUN cannot be employed in case of a clustered environment since the LUN is shared by cluster nodes. In such a case, the LUN mechanism is modified.
It would be desirable to implement a method to provide chip based security for I/O packets in an array using dynamic topology.